The Bank of Italy examined, among other things, the relationship between Directive (EU) 2015/2366 ("PSD2") and Regulation (EU) 2016/679 ("GDPR"), and more in general between the payment services and data protection legal framework, in its note on payments in the context of e-commerce dated 15 June 2020.
In line with Recital (89) of PSD2, it noted that GDPR applies to the provision of payment services governed by PSD2, as implemented in Italy under Legislative Decree No. 11/2010, as amended by Legislative Decree No. 218/2017 ("Decree 11"). This means, among other things, that payment service providers ("PSPs") must comply with data protection provisions and the new requirements introduced by GDPR (including the appointment of a data protection officer, the establishment of a record of processing activities etc.).
Some of the GDPR organizational measures partially overlap with those set out under PSD2 and the EBA Guidelines on the security measures for operational and security risks of payment services under PSD2 ("EBA Guidelines") (e.g. GDPR introduced reporting obligations on data breach to the national data protection authority while PSD2/EBA Guidelines provide for reporting obligations toward the local regulator in case of major security incidents) resulting in a double reporting.
In general, the Bank of Italy pointed out the need for a greater harmonization in particular with respect to the definition of sensitive data and the nature of the consent to be provided by the payment service user ("PSU").
Definition of sensitive data
With respect to sensitive data, the Bank of Italy pointed out that the definition of "sensitive payment data" under PSD2 and Decree 11 and the definition of "special categories of data" under GDPR, which are generally deemed and referred to as "sensitive data" (see Recital (10) of GDPR), do not perfectly match.
More specifically, according to Article 4(32) of PSD2 and Article 1(1)(q-quater) of Decree 11, sensitive payment data are data which might be used to carry out fraud (and expressly include personalised security credentials provided to the PSU for the purposes of authentication, i.e. in order to verify the identity of the PSU or the validity of the use of a specific payment instrument). On the contrary, the name of the account holder and the payment account number do not constitute sensitive payment data under PSD2 as well as Decree 11.
According to GDPR, instead, the special categories of data include any data related to the racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data, or data concerning a natural person's health or sex life. It is clear that such definition does not specifically list any type of data objectively, meaning that the relevant provisions set forth by the GDPR for the processing of special categories of data shall apply every time that data falls within the scope of such definition, including in the context of the provision of payment services.
As indicated by the Bank of Italy, the definition of sensitive payment data pursuant to PSD2 and Decree 11 does not conflict with the GDPR since it is more stringent (e.g. PSD2 prohibits payment initiation service providers (PISPs) and account information service providers (AISPs) respectively from storing and requesting sensitive payment data related to payment accounts).
In addition, it is worth noting that some data may fall under both the definition of sensitive payment data from a PSD2 perspective and under the special categories of data under GDPR. For example, biometric data used for the purposes of the authentication of the PSU (which thus constitute an element of the personalised security credentials) is regarded as a sensitive data under the payment services and data protection legal framework.
Consent to the data processing
As to the definition of consent of the data subject/PSU to the processing of data under the relevant legal frameworks, the Bank of Italy noted that the European Data Protection Board ("EDPB") clarified that PSPs may process data necessary to the provision of payment services on the basis of a specific and explicit consent under the agreement. The consent set out under Article 94 PSD2 and Article 29 of Decree 11 would thus have a contractual nature, differently from the consent requested pursuant to GDPR. However, it should be kept in mind that a privacy consent is not required when the processing of personal data is functional to the performance of the agreement (on the contrary, a consent would be required for telephone marketing, which is not essential for the performance of the agreement).
The Bank of Italy explanatory document is available here (in Italian only).
Authored by Jeffrey Greenbaum, Massimiliano Masnada, Elisabetta Zeppieri, Valerio Natale, Antonio Rossi
