EDPB Statement on Financial Data Access and Payments Package

EDPB, EU law | | By

On 23 May 2024, the European Data Protection Board (EDPB) adopted Statement 2/2024, focusing on the European Commission’s legislative proposals for Financial Data Access (FIDA), Payment Service Regulation (PSR), and Payment Service Directive (PSD3). The European Commission published the proposals on 28 June 2023, intending to build on existing frameworks like the Second Payment Services Directive (PSD2). These proposals aim to enhance consumer protection, competition in electronic payments, and empower consumers to share their data for accessing diverse financial products.

Key Recommendations

Transaction Monitoring Mechanism

The EDPB stresses the necessity of clear rules for the recording and disclosure of personal data in transaction monitoring mechanisms (TMM) under the PSR. Recommendations include:

  • Specifying categories of personal data processed.
  • Documenting reasons for data processing.
  • Limiting access to authorized personnel.
  • Informing data subjects about data processing criteria.

Obligations for AISPs and PISPs

For AISPs and PISPs, the EDPB emphasizes:

  • Transparency in informing account servicing PSPs about the customer account and legal basis for data access.
  • Data minimization, ensuring access to only necessary personal data.

Legal Meaning of ‘Permission’

The EDPB advocates for a clear distinction between ‘permission’ and GDPR consent, recommending amendments in the PSR Proposal to prevent confusion and ensure proper legal interpretation.

Permission Dashboards

The EDPB calls for:

  • Specifications in the PSR to prevent undue influence on users in granting or withdrawing permissions.
  • Requirements in the FIDA for data users to inform data holders about the legal basis for accessing personal data.

Processing of Special Categories of Personal Data

The EDPB urges:

  • Specific designations of payment services allowed to process special categories of personal data.
  • Justifications for processing such data should be provided in the legislative text.

Regulatory Cooperation

The EDPB recommends explicit references to cooperation between financial and data protection authorities for effective enforcement and information exchange.

👉 Find the Statement here.

♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.

Keep reading

Scroll to Top