Second Payment Services Directive and the General Data Protection Regulation – Payments and Consent for Data Sharing

    View Authors January 2019

    The Second Payment Services Directive (PSD2) addressed new rules for payment services or third-party payment service providers – particularly account information service providers (AISPs) and payment initiation service providers (PISPs). Under PSD2, traditional payment service providers will need to share certain data with those third-party providers to access payment accounts (e.g., current accounts) and statement details, as well as other account information held by banks and other account servicing payment service providers (ASPSPs) where customers consent to such access. Some of that data will constitute personal data in the sense of the General Data Protection Regulation (GDPR). The sharing requirements result partly in conflicts between the two set of rules. Even after the entry into force of both legal frameworks, several uncertainties remain.